PWI Eclipse changes

~~denzjh~~ · 02/07/2015, 09:46

I don't use FollowPlayer Function since mine's a herbs-farmer bot but here it is anyways...

Code:

#include <NomadMemory.au3>

Global $GAME_CLIENT = "elementclient.exe"
Global $GAME_PID = ProcessExists($GAME_CLIENT)
Global $GAME_PROCESS = _MemoryOpen($GAME_PID)
Global $ADDRESS_BASE = 0xD22C74
Global $OFFSET_ACTIONBASE = 0x13EC
	
Func FollowPlayer()
	$ADDRESS_ACTION1 = 0x49FF80
	$ADDRESS_FOLLOW = 0x6820C0
	$ADDRESS_ACTION3 = 0x4A0590

	;Construct the OpCode for calling the 'FollowPlayer' function
	$OPcode = "60"                   			;60             PUSHAD

	$OPcode &= "B9" & _Hex($ADDRESS_BASE)       ;B8 00000000    MOV ECX, $ADDRESS_BASE
	$OPcode &= "8B09"            				;8B009          MOV ECX,DWORD PTR DS:[ECX]
	$OPcode &= "8B491C"          				;8B49 1C        MOV ECX,DWORD PTR DS:[ECX+1C]
	$OPcode &= "8B7128"          				;8B71 28        MOV ESI,DWORD PTR DS:[ECX+28]            ; |
	$OPcode &= "8B8E" & _Hex($OFFSET_ACTIONBASE);8B8E EC130000  MOV ECX,DWORD PTR DS:[ESI+13EC]
	$OPcode &= "57"   	         				;57             PUSH EDI (EDI=0x26)
	$OPcode &= "6A07"   	         			;6A 07          PUSH 7
	$OPcode &= "BA" & _Hex($ADDRESS_ACTION1) 	;BA 00000000    MOV EDX, $ADDRESS_ACTION1
	$OPcode &= "FFD2"            				;FFD2           CALL EDX

	$OPcode &= "8BF8"            				;8BF8           MOV EDI,EAX
	$OPcode &= "BB" & _Hex($TARGET)	  	     	;B8 00000000    MOV EBX, Target ID
	$OPcode &= "53"   	         				;53             PUSH EBX (PLAYER ID)
	$OPcode &= "8BCF"            				;8BCF           MOV ECX,EDI
	$OPcode &= "BA" & _Hex($ADDRESS_FOLLOW) 	;BA 00000000    MOV EDX, $ADDRESS_FOLLOW
	$OPcode &= "FFD2"            				;FFD2           CALL EDX

	$OPcode &= "B9" & _Hex($ADDRESS_BASE)       ;B8 00000000    MOV ECX, $ADDRESS_BASE
	$OPcode &= "8B09"            				;8B009          MOV ECX,DWORD PTR DS:[ECX]
	$OPcode &= "8B491C"          				;8B49 1C        MOV ECX,DWORD PTR DS:[ECX+1C]
	$OPcode &= "8B7128"          				;8B71 28        MOV ESI,DWORD PTR DS:[ECX+28]            ; |
	$OPcode &= "8B8E" & _Hex($OFFSET_ACTIONBASE);8B8E EC130000  MOV ECX,DWORD PTR DS:[ESI+13EC]
	$OPcode &= "6A00"   	         			;6A 00          PUSH 0
	$OPcode &= "57"   	         				;57             PUSH EDI
	$OPcode &= "6A01"   	         			;6A 01          PUSH 1
	$OPcode &= "BA" & _Hex($ADDRESS_ACTION3) 	;BA 00000000    MOV EDX, $ADDRESS_ACTION3
	$OPcode &= "FFD2"            				;FFD2           CALL EDX

	$OPcode &= "61"              				;61             POPAD
	$OPcode &= "C3"              				;C3             RETN

	InjectCode($OPcode)
EndFunc

Func InjectCode($OPcode)
	;Declare local variables

	;Open process for given processId
	$processHandle = $GAME_PROCESS[1]

	;Allocate memory for the OpCode and retrieve address for this
	$functionAddress = DllCall('kernel32.dll', 'int', 'VirtualAllocEx', 'int', $processHandle, 'ptr', 0, 'int', 100, 'int', 0x1000, 'int', 0x40)

	;Construct the OpCode for calling the function

	;Put the OpCode into a struct for later memory writing
	$vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
	For $loop = 1 To DllStructGetSize($vBuffer)
		DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
	Next

	;Write the OpCode to previously allocated memory
	DllCall('kernel32.dll', 'int', 'WriteProcessMemory', 'int', $processHandle, 'int', $functionAddress[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)


	;Create a remote thread in order to run the OpCode
	$hRemoteThread = DllCall('kernel32.dll', 'int', 'CreateRemoteThread', 'int', $processHandle, 'int', 0, 'int', 0, 'int', $functionAddress[0], 'ptr', 0, 'int', 0, 'int', 0)

	;Wait for the remote thread to finish
	Do
		$result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
	Until $result[0] <> 258

	;Close the handle to the previously created remote thread
	DllCall('kernel32.dll', 'int', 'CloseHandle', 'int', $hRemoteThread[0])

	;Free the previously allocated memory
	DllCall('kernel32.dll', 'ptr', 'VirtualFreeEx', 'hwnd', $processHandle, 'int', $functionAddress[0], 'int', 0, 'int', 0x8000)

	Return True
EndFunc

Already posted earlier about these Action Function Addresses in

Address Action 1 = Start Action Function (At the moment this is 0x49FF80)
Address Action 2 = Perform Action Function (Varies. Depends on the action)
Address Action 3 = Finish Action Function (At the moment this is 0x4A0590)

To trace the [Address Action 2], I check all the addresses that calls the [Address Action 1] and make break point to each. I perform some actions in the game client and wait for the breakpoint. In the breakpoint, the [Address Action 2] is called a few lines after the [Address Action 1].

For CastSkill and RegAttack functions, I did some further tracing (before and after the [Address Action 1]) to get some addresses for functions that will simplify the OpCodes.

These are the Current Addresses that is calling [Address Action 1]:

Spoiler

The PUSH Column determines the type of Action. You will find them before the Address Action 1 is called.

Also if you trace down MoveTo Function through KEYBOARD MOVE, you will notice the 'Switch function' in the code which will give you this list of Case Index and corresponding Directions:

Spoiler

This is how I repeatedly crash the PW Client.
So far I am getting results so I think my theory is somewhat correct

And yes ollydbg is a cool debugging tool!

jasty · 02/10/2015, 18:39

This thread is ridiculously useful! I'm finally getting around to automating all these **** dailies.

So far I'm able to accept quests, move around, dig items, and kill mobs. Does anyone have some code that is able to examine the quest list? I want to be able to check to see which quests / subquests are still active and how many additional mobs / items are required to complete the quest. I want to be able to check my current quest directly rather than trying to track quest completion on my own due to how many things can go wrong with that (like it's not guaranteed you're going to be credited with a kill). It would be nice to add some error handling should quests not be completed as expected.

The only reference I've been able to find on examining quests is the offset

PlayerQuestList=0x13F4

Also what's the clean way to close NPC dialogs?

~~denzjh~~ · 02/11/2015, 08:21

Quote:

Originally Posted by jasty

Also what's the clean way to close NPC dialogs?

I don't know about clean ways to close but I there's a way to start npc talks without dialogs.

Before using this function:

Code:

Func startNpcDialogue($npcId)
  local $packet, $packetSize

  $packet = '2300'
  $packet &= _hex($npcId)
  $packetSize = 6

  sendPacket($packet, $packetSize, $pid)
EndFunc

Make sure that the slope distance between your bot and the NPC has a floor value of 5. I mean Distance value like 5.1 to 5.9 units.

That's what I did in my auto world quest bot.

Remmm · 02/11/2015, 16:55

close NPC dialog

Code:

Procedure WinStruct(WinName.s)
  hProcess=OpenProcess_(#PROCESS_ALL_ACCESS, #False, Fid(GetGadgetText(#ComboBox_NamePers)))
  ReadProcessMemory_(hProcess,(#GA),@ibuf,SizeOf(ibuf),NoB)
  ReadProcessMemory_(hProcess,(ibuf+$10),@ibuf,SizeOf(ibuf),NoB)
  ReadProcessMemory_(hProcess,(ibuf+$08),@Gui,SizeOf(gui),NoB)
  ReadProcessMemory_(hProcess,(Gui+$AC),@WinDown,SizeOf(WinDown),NoB)
  While WinDown<>0
    ReadProcessMemory_(hProcess,(WinDown),@NextWin,SizeOf(NextWin),NoB)
    ReadProcessMemory_(hProcess,(WinDown+$8),@WinStr,SizeOf(WinStr),NoB)
    ReadProcessMemory_(hProcess,(WinStr+$4c),@WinNameadr,SizeOf(WinNameadr),NoB)
    ReadProcessMemory_(hProcess,(WinNameadr+0),@Name,20,NoB)
    If name = WinName
      CloseHandle_(hProcess)
      ProcedureReturn WinStr
    EndIf
    WinDown=NextWin 
  Wend
  
  ReadProcessMemory_(hProcess,(Gui+$8C),@WinDown,SizeOf(WinDown),NoB)
  While WinDown<>0
    ReadProcessMemory_(hProcess,(WinDown),@NextWin,SizeOf(NextWin),NoB)
    ReadProcessMemory_(hProcess,(WinDown+$8),@WinStr,SizeOf(WinStr),NoB)
    ReadProcessMemory_(hProcess,(WinStr+$4c),@WinNameadr,SizeOf(WinNameadr),NoB)
    ReadProcessMemory_(hProcess,(WinNameadr+0),@Name,20,NoB)
    If name = WinName
      CloseHandle_(hProcess)
      FreeMemory(*mem)
      ProcedureReturn WinStr
    EndIf
    WinDown=NextWin
  Wend
  CloseHandle_(hProcess)
  ProcedureReturn #False
EndProcedure

Code:

Procedure CloseWin(winname.s,)
  GUIFunkt=$97A3C0
  Param1= WinStruct(winname)
  Param2 = $cb115c
  If param1<>#False
    opcode.s="60"+"B9"+Reverse(Param1)+"68"+Reverse($cb115c)+"BA"+Reverse(GUIFunkt)+"FFD2"+"61"+"C3"
    Inject(opcode) 
  EndIf
EndProcedure

Code:

CloseWin("Win_NPC")

WhoMoi · 02/12/2015, 18:02

I'm trying to figure out the buff list. I found the buff counter at 0x398. According to

and

, I believe the buff list is at 0x3A0 but I'm not making any sense of it. I did try both 2 bytes and 4 bytes.

Is the buff list like the worlditemlist? I know the worlditemlist is not sorted and have to go through all 768 entries.

Also, I did find the buff ids in config.pck and tried to do search for id with CE but I get nothing.

I'm at a lost here. Any help please?

~~denzjh~~ · 02/12/2015, 19:19

Quote:

Originally Posted by WhoMoi

I'm trying to figure out the buff list. I found the buff counter at 0x398. According to and , I believe the buff list is at 0x3A0 but I'm not making any sense of it. I did try both 2 bytes and 4 bytes.

Is the buff list like the worlditemlist? I know the worlditemlist is not sorted and have to go through all 768 entries.

Also, I did find the buff ids in config.pck and tried to do search for id with CE but I get nothing.

I'm at a lost here. Any help please?

Try this:

Spoiler

buffs_str.ini

Spoiler

Code:

[Buffs]
BUFFS_DESC_1=Stun
BUFFS_DESC_2=Sleep
BUFFS_DESC_3=Slow
BUFFS_DESC_4=Physical Reflect
BUFFS_DESC_5=Plume Shield
BUFFS_DESC_6=Flame Shield
BUFFS_DESC_7=Ice Shield
BUFFS_DESC_8=Frozen
BUFFS_DESC_9=Total Intervention
BUFFS_DESC_10=SEDUCE targeted monster alter to passive attack mode
BUFFS_DESC_12=Thunder
BUFFS_DESC_13=Poison
BUFFS_DESC_14=Burn
BUFFS_DESC_15=Sandstorm
BUFFS_DESC_16=Manaleak
BUFFS_DESC_17=Bleed
BUFFS_DESC_18=Weaken
BUFFS_DESC_19=Distract
BUFFS_DESC_20=Fright
BUFFS_DESC_21=Curse
BUFFS_DESC_22=Slow
BUFFS_DESC_23=Stupefy
BUFFS_DESC_24=Blind
BUFFS_DESC_27=Increased MP recovery
BUFFS_DESC_28=Maximum HP increased
BUFFS_DESC_29=Maximum MP increased
BUFFS_DESC_30=Fortified Armor
BUFFS_DESC_31=Concentrate
BUFFS_DESC_32=Sharpen
BUFFS_DESC_33=Quicken
BUFFS_DESC_34=Dodge
BUFFS_DESC_35=Bless
BUFFS_DESC_36=Nimble
BUFFS_DESC_37=Focus
BUFFS_DESC_38=Water damage added to attack
BUFFS_DESC_39=Fire damage added to attack
BUFFS_DESC_40=Wood damage added to attack
BUFFS_DESC_41=Recovering HP
BUFFS_DESC_42=Recovering MP
BUFFS_DESC_43=Muddle
BUFFS_DESC_44=Increased movement speed
BUFFS_DESC_45=Maximum HP decreased
BUFFS_DESC_46=Intuition
BUFFS_DESC_47=Untamed Transform
BUFFS_DESC_48=Metal resistance increased
BUFFS_DESC_49=Wood resistance increased
BUFFS_DESC_50=Water resistance increased
BUFFS_DESC_51=Fire resistance increased
BUFFS_DESC_52=Earth resistance increased
BUFFS_DESC_53=Metal resistance decreased
BUFFS_DESC_54=Wood resistance decreased
BUFFS_DESC_55=Water resistance decreased
BUFFS_DESC_56=Fire resistance decreased
BUFFS_DESC_57=Earth resistance decreased
BUFFS_DESC_58=Merbreath
BUFFS_DESC_59=Essential Sutra
BUFFS_DESC_60=Spark Eruption
BUFFS_DESC_61=Alter Marrow Physical
BUFFS_DESC_62=Alter Marrow Magical
BUFFS_DESC_63=Bestial Rage
BUFFS_DESC_64=Fortified Armor
BUFFS_DESC_65=Aura of the Golden Bell
BUFFS_DESC_66=Strength of the Titans
BUFFS_DESC_67=Blood Bath
BUFFS_DESC_68=Intuition
BUFFS_DESC_69=Winged Shell
BUFFS_DESC_70=Blazing Arrow
BUFFS_DESC_71=Stormrage Eagleon
BUFFS_DESC_72=Immune to movement debuffs
BUFFS_DESC_73=Taking Water damage over time
BUFFS_DESC_74=Increased Critical Hit rate
BUFFS_DESC_75=Venomancer Transform
BUFFS_DESC_76=Invincible
BUFFS_DESC_77=Bramble Hood
BUFFS_DESC_78=Soul Degeneration
BUFFS_DESC_79=Amplify Damage
BUFFS_DESC_80=Crush Vigor
BUFFS_DESC_81=Summer Sprint
BUFFS_DESC_82=Riding speed increased
BUFFS_DESC_83=Physical attack increased
BUFFS_DESC_84=Concentration
BUFFS_DESC_85=Stimulation
BUFFS_DESC_86=Freedom
BUFFS_DESC_87=Fortitude
BUFFS_DESC_88=Holiness
BUFFS_DESC_89=Petrifaction
BUFFS_DESC_90=Immune to Fire
BUFFS_DESC_91=Immune to Water
BUFFS_DESC_92=Immune to Metal
BUFFS_DESC_93=Immune to Wood
BUFFS_DESC_94=Immune to Earth
BUFFS_DESC_95=Immune to Elements
BUFFS_DESC_96=Rampage
BUFFS_DESC_97=Subaqueous Deceleration
BUFFS_DESC_98=Subaqueous Acceleration
BUFFS_DESC_99=Aerial Deceleration
BUFFS_DESC_100=Aerial Acceleration
BUFFS_DESC_101=Land Deceleration
BUFFS_DESC_102=Explosion
BUFFS_DESC_103=Exhaust
BUFFS_DESC_104=Power of Fairy
BUFFS_DESC_105=Dexterity of Fairy
BUFFS_DESC_106=Air Blade
BUFFS_DESC_107=Element Weakness
BUFFS_DESC_108=Deep Poison
BUFFS_DESC_109=Rooting
BUFFS_DESC_110=Guardians of Earth
BUFFS_DESC_111=Frenzy
BUFFS_DESC_112=Blinding Sand
BUFFS_DESC_113=Longing for Home
BUFFS_DESC_114=Oblivion
BUFFS_DESC_115=Luck
BUFFS_DESC_116=Impact
BUFFS_DESC_117=Flame
BUFFS_DESC_118=Anger in Heart
BUFFS_DESC_119=Kindling
BUFFS_DESC_120=Burning Feet
BUFFS_DESC_121=Hard Wall
BUFFS_DESC_122=Cutting Edge
BUFFS_DESC_123=Dancing Leaf
BUFFS_DESC_124=Scorch
BUFFS_DESC_125=Vacuum
BUFFS_DESC_126=Hardened Veins
BUFFS_DESC_127=Force Field
BUFFS_DESC_128=Magic Shell
BUFFS_DESC_129=Eye for an Eye
BUFFS_DESC_130=Wind Shield
BUFFS_DESC_131=Air Lock
BUFFS_DESC_132=Enclosure
BUFFS_DESC_133=Martial Trance
BUFFS_DESC_134=Freeze
BUFFS_DESC_135=Attack Level increased
BUFFS_DESC_136=Attack Level decreased
BUFFS_DESC_137=Defense Level increased
BUFFS_DESC_138=Defense Level decreased
BUFFS_DESC_139=Recieves a Earth damage constantly.
BUFFS_DESC_140=Total Intervention
BUFFS_DESC_141=Frozen
BUFFS_DESC_142=Bless
BUFFS_DESC_143=Curse
BUFFS_DESC_144=Maximum HP increased
BUFFS_DESC_145=Sharpen
BUFFS_DESC_146=Intuition
BUFFS_DESC_147=Focus
BUFFS_DESC_148=Increased movement speed
BUFFS_DESC_149=Stealth
BUFFS_DESC_150=Super Sight
BUFFS_DESC_151=Bloodpaint
BUFFS_DESC_152=Wolf Emblem
BUFFS_DESC_153=Has a chance to evade the damage of all attacking skills.
BUFFS_DESC_154=Has a chance to evade the status of all attacking skills.
BUFFS_DESC_155=Blocks one attack that would deal lethal damage, and recovers some HP.
BUFFS_DESC_156=Soul of Vengeance
BUFFS_DESC_157=Soul of Silence
BUFFS_DESC_158=Soul of Retaliation
BUFFS_DESC_159=Soul of Stunning
BUFFS_DESC_160=Increases the healing potency from spells and potions, and reduces the cooldown of healing charms.
BUFFS_DESC_161=Decreases the healing potency from spells and potions, and increases the cooldown of healing charms.
BUFFS_DESC_162=Receives damage while attacking or spellcasting
BUFFS_DESC_163=Interrupt
BUFFS_DESC_164=Tide Form
BUFFS_DESC_165=Chill of the Deep
BUFFS_DESC_166=Voodoo
BUFFS_DESC_167=Heart Shatter
BUFFS_DESC_168=Mind Shatter
BUFFS_DESC_169=Soul Shatter
BUFFS_DESC_170=Northern Sky Waltz
BUFFS_DESC_171=Parchedblade Dance
BUFFS_DESC_172=Soulsever Minuet
BUFFS_DESC_173=Eye of the Northern Sky
BUFFS_DESC_174=Bloodletting
BUFFS_DESC_175=Spirit Bore
BUFFS_DESC_176=Edged Blur
BUFFS_DESC_177=Mist's Grasp
BUFFS_DESC_178=Falling Petals
BUFFS_DESC_179=Verdant Shell
BUFFS_DESC_180=Slows the target
BUFFS_DESC_181=Energy of Beasts
BUFFS_DESC_182=Energy of Light
BUFFS_DESC_183=Transference
BUFFS_DESC_184=Shield of Flowers
BUFFS_DESC_185=Twin Flowers
BUFFS_DESC_186=Rapid Growth
BUFFS_DESC_187=Bloody Sun
BUFFS_DESC_188=Sacrifice
BUFFS_DESC_189=Resurrect
BUFFS_DESC_190=Take x2 damage from Absorb Soul attack
BUFFS_DESC_191=Enhanced Critical Strike
BUFFS_DESC_192=Duelist's Glee
BUFFS_DESC_193=Disarmed
BUFFS_DESC_194=Weapon Disabled
BUFFS_DESC_195=Hatred Increased
BUFFS_DESC_196=Divine Bless
BUFFS_DESC_197=Awareness
BUFFS_DESC_198=Improves the MP recovery speed greatly
BUFFS_DESC_199=Will be teleported to you previous location after a short time
BUFFS_DESC_200=HP will revert to it's previous value after a short time
BUFFS_DESC_201=Unable to fly
BUFFS_DESC_202=Targets are selected at random
BUFFS_DESC_203=Aurora Blast
BUFFS_DESC_204=Arcane Defense
BUFFS_DESC_205=Reduces the chance of receiving critical hits
BUFFS_DESC_206=Increases the chance of receiving critical hits
BUFFS_DESC_207=Psionic Link
BUFFS_DESC_208=A portion of healing received will be redirected to the caster.
BUFFS_DESC_209=Death Link
BUFFS_DESC_210=HP will revert to it's previous value after a short time
BUFFS_DESC_211=Cannot be selected
BUFFS_DESC_212=Invigorate
BUFFS_DESC_213=An earth-based attack that charges up and deals damage later
BUFFS_DESC_214=Ice Prison
BUFFS_DESC_215=Spirit Fire
BUFFS_DESC_216=When attacked, may have a chance of stunning the attacker
BUFFS_DESC_218=Taking damage increases your Attack
BUFFS_DESC_219=Taking damage from enemies increase your Attack for a short time
BUFFS_DESC_220=Cornered Beast
BUFFS_DESC_221=A portion of a healing effect will be transferred to another player
BUFFS_DESC_222=Spoils of War
BUFFS_DESC_223=Attack Range Increased
BUFFS_DESC_224=Spirit Phalanx
BUFFS_DESC_225=Violet Dance
BUFFS_DESC_226=Sword Cyclone
BUFFS_DESC_227=Natural Synergy
BUFFS_DESC_229=Triggers when receiving melee damage.
BUFFS_DESC_230=Attributes Increased
BUFFS_DESC_231=Increases HP and MP recovery speed when out of battle
BUFFS_DESC_232=Increases HP and MP recovery
BUFFS_DESC_233=All damage taken is increased. This effect can stack.
BUFFS_DESC_234=You will not gain infany from engaging in PvP in this mode.
BUFFS_DESC_235=Increases Magic Resistance
BUFFS_DESC_236=Carrying the Flag
BUFFS_DESC_237=Defense Level reduced.
BUFFS_DESC_238=Increasing character's Health and Mana.
BUFFS_DESC_239=Critical Hit Rate increased.
BUFFS_DESC_240=Defense Level and Slaying Level increased.
BUFFS_DESC_241=Increases Health, Attack, and Defense Level
BUFFS_DESC_242=Increases Attack Level and Defense Level by 3
BUFFS_DESC_243=Increases character's Attack Level and Defense Level
BUFFS_DESC_244=Damage from players is reduced
BUFFS_DESC_245=Has a chance to cast a buff on yourself when attacking
BUFFS_DESC_246=Has a chance to cast a debuff on yourself when attacking
BUFFS_DESC_247=Immune to Physical damage
BUFFS_DESC_248=Immune to Metal damage
BUFFS_DESC_249=Immune to Wood damage
BUFFS_DESC_250=Immune to Water damage
BUFFS_DESC_251=Immune to Fire damage
BUFFS_DESC_252=Immune to Earth damage
BUFFS_DESC_253=Physical Reflect
BUFFS_DESC_254=Combat capability is improved.
BUFFS_DESC_255=Paralyzed
BUFFS_DESC_256=Skill damage taken is increased.
BUFFS_DESC_257=Skill Critstrike Rate taken is increased.
BUFFS_DESC_258=Specific skill''s Channelling Time is reduced.
BUFFS_DESC_259=Specific skill's damage is increased.
BUFFS_DESC_260=Glacial Embrace
BUFFS_DESC_261=Pyroshell
BUFFS_DESC_262=Absorbs most damage and constantly regenerates Health.
BUFFS_DESC_263=Increase the speed of flying
BUFFS_DESC_264=Spirit increased
BUFFS_DESC_265=Increase your Spirit, and reduce Critical Strike damage dealt to you.
BUFFS_DESC_266=Lose health upon movement
BUFFS_DESC_267=Dealt damage if distance moved is lower than the default value.
BUFFS_DESC_268=Gain special abilities if distance moved is lower than the default value.
BUFFS_DESC_269=Become invulnerable to interrupt skills while Shield is in effect.
BUFFS_DESC_270=Suffer from a periodic paralysis effect
BUFFS_DESC_271=Internal Injury
BUFFS_DESC_272=Protection of Coldness
BUFFS_DESC_273=Finishes the cooldown of Relentless Drift upon target's death
BUFFS_DESC_274=The specific skill has increased effect
BUFFS_DESC_275=Normal attacks cause additional damage
BUFFS_DESC_276=The specific skill has no cooldown
BUFFS_DESC_277=Destiny Hunter
BUFFS_DESC_278=Shadow Awakening
BUFFS_DESC_279=Luna Awakening
BUFFS_DESC_280=Dealt metal & water damage over time, stacks up to 5 times.
BUFFS_DESC_281=Lunar Physique
BUFFS_DESC_282=Increase direct damage inflicted on foes, can be used with Divine Bless.
BUFFS_DESC_283=Reduces damage taken from critical attacks
BUFFS_DESC_284=Increases physical damage dealt
BUFFS_DESC_285=Increases spell damage dealt
BUFFS_DESC_286=Increases damage taken from skills

buffs_str.ini is updated.

And please press the thanks button if this helped you. I would appreciate it.

WhoMoi · 02/12/2015, 20:12

The 0x390 got me closer. Only difference is the counter (or $i) is in multiples of 12. Thanks.

Also, here is my buff list. I noticed both yours and mine is missing 217 and 228.

Spoiler

Smurfin · 02/13/2015, 00:00

Quote:

Originally Posted by Stark77

i do it exactly like this:

follow has no packet... it will just create a sequence of move packets so dont even try. easy way is just make a loop that reads your mains (x,y) and use the autopath every 1 (or 2) seconds to it.

wow another method for sniffing packets, dumbfck is really a lot of things, despite the name

Btw I already did that, the 'autofollow' by scripting, it's very useful and even more useful with the vertical movement using flytoZ function you gave earlier, I use a hotkey to toggle it on or off and another hotkeys for manual 'go here' operations, but still..the ingame autofollow is useful in its own way. Like when I solo FSP and at the slopes going to Toad Boss, using autofollow by scripting sometimes read my main's x,y exactly at the pit coordinate between the slopes as my main passes by and cause one or two of the other chars to die falling in the pit.

Quote:

Originally Posted by Remmm

sniff packets - "PW PacketListener"

Thanks, I'll put this into my notes as well for backup.

Quote:

Originally Posted by denzjh

I don't use FollowPlayer Function since mine's a herbs-farmer bot but here it is anyways...

...snip...

This is how I repeatedly crash the PW Client.
So far I am getting results so I think my theory is somewhat correct

And yes ollydbg is a cool debugging tool!

Thanks another ton for it, and someone who shares everything is as cool as the debugging tool he's using

====
I won't be able to try all of these until a few more months when we have the Eclipse patch, but thanks in advance for any discovery for fixing whatever we once had before eclipse

WhoMoi · 02/13/2015, 01:52

I tried Ollydbg since I'd like to learn how to find what to send and such. But client keeps saying username and password is incorrect every single time I try to login with Ollydbg attached. How do ya'll get pass that?

WhoMoi · 02/14/2015, 05:50

Here is CastSkill in C# if anybody wants.

Spoiler

jasty · 02/15/2015, 16:49

So I'm trying to port this checkQuestPreset function from the WQ bot to autoit.

Spoiler

Code:

checkQuestPresent(questId, client)
{
	global

	;Get the process Id from the given client title
	winget, pid, PID, %client%

	;Get the process handle from the given client title
	If ProcessHandle%PID% = 
	{
		ProcessHandle%PID% 	:= 	DllCall("OpenProcess", "int", 2035711, "char", 1, "UInt", PID, "UInt")
		logThis("ProcessHandle: " . ProcessHandle%PID%, "main")
	}
	
	functionSize := 100
	
	;Allocate memory to store the packet to be sent, and the method to call the send packet function
	If returnAddress%PID% = 
	{
		returnAddress%PID% 	:=   	DllCall("VirtualAllocEx", "Uint", ProcessHandle%PID%, "Uint", 0, "Uint", 0x4, "Uint", 0x1000, "Uint", 0x40)
		logThis("returnAddress: " . returnAddress%PID%, "main")
	}
	If functionAddress%PID% = 
	{
		functionAddress%PID% :=   	DllCall("VirtualAllocEx", "Uint", ProcessHandle%PID%, "Uint", 0, "Uint", functionSize, "Uint", 0x1000, "Uint", 0x40)
		logThis("functionAddress: " . functionAddress%PID%, "main")
	}


	revHex(revReturnAddress, returnAddress%PID%)	
	revHex(revQuestId, questId)
	revHex(revQuestFunctionAddress, questFunctionAddress)
	revHex(revBaseAddress, realBaseAddress)
	revHex(revQuestFunctionOffset, questFunctionOffset)
	revHex(revPlayerOffSet, playerOffSet, 2)


	;60 			PUSHAD
	;B8 80 45 66 00 	MOV     EAX, 00664580
	;8B 0D 7C 65 98 00 	MOV     ECX, DWORD PTR [98657C]
	;8B 49 1C 		MOV     ECX, DWORD PTR [ECX+1C]
	;8B 49 30 		MOV     ECX, DWORD PTR [ECX+34]
	
	;8B 89 DC 0D 		MOV     ECX, DWORD PTR [ECX+DDC]
	;68 DD 06 		PUSH    6DD
	;FF D0 			CALL    NEAR EAX
	;A3 32 54 76 98 	MOV     DWORD PTR [98765432], EAX
	;61 			POPAD
	;C3			RET


	func =					
	func = %func%60					;PUSHAD
	func = %func%B8%revQuestFunctionAddress%	;MOV     EAX, questFunction
	func = %func%8B0D%revBaseAddress%		;MOV     ECX, DWORD PTR [baseAddress]
	func = %func%8B491C				;MOV     ECX, DWORD PTR [ECX+1C]
	func = %func%8B49%revPlayerOffSet%				;MOV     ECX, DWORD PTR [ECX+playerOffSet]
	func = %func%8B89%revQuestFunctionOffset%	;MOV     ECX, DWORD PTR [ECX+questFuncOffset]
	func = %func%68%revQuestId%			;PUSH    questId
	func = %func%FFD0				;CALL    NEAR EAX
	func = %func%A3%revReturnAddress%		;MOV     DWORD PTR [returnAddress], EAX
	func = %func%61					;POPAD
	func = %func%C3					;RET


	MCode(checkQuestFunction, func)
	
	
	DllCall("WriteProcessMemory", "UInt", ProcessHandle%PID%, "UInt", functionAddress%PID%, "Uint", &checkQuestFunction, "Uint", functionSize, "Uint *", 0)
	
	
	
	
	SetFormat, IntegerFast, d
	
	hThrd := DllCall("CreateRemoteThread", "Uint", ProcessHandle%PID%, "Uint", 0, "Uint", 0, "Uint", functionAddress%PID%, "Uint", 0, "Uint", 0, "Uint", 0)
	loop
	{
		result := DllCall( "WaitForSingleObject", UInt,hThrd, UInt,50 ) 
		if(result <> 258)
		{
			break
		}
		sleep 50
		if(A_Index > 100)
		{
			break
		}
	}
	
	
	local returnValue := readMemory(returnAddress%PID%, client)
	
	DllCall( "CloseHandle", UInt,hThrd )
	
	;DllCall("VirtualFreeEx", "Uint", ProcessHandle, "Uint", functionAddress, "Uint", 0, "Uint", 0x8000)
	
	;DllCall("VirtualFreeEx", "Uint", ProcessHandle, "Uint", returnAddress, "Uint", 0, "Uint", 0x8000)
	
	;DllCall( "CloseHandle", UInt,ProcessHandle ) 
	
	return returnValue
	
}

Here's what I have:

Spoiler

All it does is crash

This is the OPcode it generates...
60B840E089008B0D742CD2008B491C8B49288B89F41368DD67 FFD0A30000C90861C3
and while I'm no ASM expert it looks pretty similar to the sample provided in the source
60B8804566008B0D7C6598008B491C8B49308B89DC0D68DD06 FFD0A33254769861C3

Anyone can see where I am screwing up? Been stuck at this for a while. Also if anyone has any Quest related knowledge to drop here I'd be grateful. I'm trying to make a bot to take care of Morai / Primal / Faction Base dailies. While I can talk to NPCs fine I don't know how to examine quests yet.

EDIT:
OK I rewrote the ASM it and can now get back a value... but all it seems to do is give me a pointer to the quest struct.. I guess that's kinda useful but it doesn't have any progress or availability info it. maybe this can be of use to someone smarter than me.

Spoiler

Maybe this is the wrong function

I got the 0x89E040 offset from the Jawq thread.
Again if anyone has questing knowledge feel free to point me at somewhere. Thanks.

WhoMoi · 02/20/2015, 21:56

My client keeps getting crashing with CastSkill. Sometimes few minutes, sometimes few hours.

I'm wondering if I'm using the correct thing for SkillPointer. I used 0x1418 that points to my skill structure. Then I tried 0x1418+skillindex.

I'm surprised they both worked but both will eventually crash the client.

Help?

I keep getting this if I debug it.

Spoiler

jasty · 02/21/2015, 03:31

Here's my cast skill function that also checks cooldown before calling the version takes a pointer. I've had no problems with it.

Spoiler

Anyone has the opcode to inject for jump? Some instances require a little jumping in spots to get through.

Asprin · 02/27/2015, 22:01

Hi guys. Can anyone tell me offsets for friend list structure? Thanks

jasty · 02/27/2015, 22:27

I finally figured out how to read quests!

QuestList = [[[[BA+0x1C]+0x28]+0x13F4]+0x8]
Quest Count = QuestList+0x0 (1 Byte) includes invisible quests
Visible Quest Count = QuestList+0x4 (1 Byte)
QuestID = QuestList + 0x8 + 0x20*i (2 bytes, i = 0 to Count)
Monster Kill Count = QuestList + 0x8 + 0x20*i + 0x15

I'm sure there are more fields inside the 32 byte quest struct but I really needed Mob kill count for my daily bot.